versioning IIS 6 xml metabase

TheMSsForum.com: The Microsoft Software Forum

Are there any guidelines or recommendations for or against versioning xml
configuration as part of SDLC process?

We are thinking about versioning a single xml metabase file in our SCM tool.
This single xml file would be the standard configuration to be used in
multiple environments such as dev, test, and prod. During deployment,
server-specific details such as ip addreses would be set by performing an XSL
transformation on the xml metabase.

The goal would be to
1) version IIS configuration as a single xml file
2) separate server-specifc configuration (ip addresses) from IIS configuration
3) merge server details and IIS configuration at deployment time

Does this seem reasonable, or what are some other ways to version / manage
changes to IIS configuration?
Top

RE: versioning IIS 6 xml metabase by wjzhang

wjzhang
Wed Apr 05 02:48:59 CDT 2006

Hi,

This is possible but a difficulty here is metabase also stores encrypted
user permission set(ACL) which is also machine specific. You can run
Metabase Explorer utility to have a look.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc
92ee-a71a-4c73-b628-ade629c89499

The standard way to manage IIS metabase is still using its ADSI provider:

IIS ADSI Provider
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html
/5db1a0cc-bd28-467f-bd32-79d743a4fcc3.asp

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.



Top

RE: versioning IIS 6 xml metabase by brutus

brutus
Wed Apr 05 12:01:02 CDT 2006

I do see the IUSR and IWAM passwords are encrypted. Metabase Explorer
indicates this by displaying the value in red with the test "***Secure
Data***".

What encryption algorithm does IIS use? It sounds reasonable that encrypted
values could be stored (in encrypted format) in the file containing
server-specific values. At deployment time, these setting are just another
value set by the transformation process.

During the development cycle, secure data values would be encrypted and
versioned in the xml file with server specific values.

""WenJun Zhang[msft]"" wrote:

> Hi,
>
> This is possible but a difficulty here is metabase also stores encrypted
> user permission set(ACL) which is also machine specific. You can run
> Metabase Explorer utility to have a look.
>
> Internet Information Services (IIS) 6.0 Resource Kit Tools
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc
> 92ee-a71a-4c73-b628-ade629c89499
>
> The standard way to manage IIS metabase is still using its ADSI provider:
>
> IIS ADSI Provider
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html
> /5db1a0cc-bd28-467f-bd32-79d743a4fcc3.asp
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
Top

RE: versioning IIS 6 xml metabase by brutus

brutus
Wed Apr 05 12:39:02 CDT 2006

This article
<http://thesource.ofallevil.com/technet/prodtechnol/WindowsServer2003/Library/IIS/aa7f3ea9-0639-475f-b6c7-883cbde6f3a0.mspx?mfr=true>

states the following:

"Do not manually change encrypted properties in MetaBase.xml. There is no
way to encrypt your data before inserting it by using Notepad or another text
editor. Only WMI, ADSI, or ABOs can be used to change the data in encrypted
properties."

I found the answer to my question. Encrypted values can only be set by
using an API. Transformation or search/replace will not work for encrypted
values.

If I wanted to pursue this further, I would look at setting encryptd values
as a post-transformation process where values "to be encrypted" are stored as
part of server-specific values. Of course, proper safeguards would be
necessary to protect clear text values that will be encrypted at deployment
time.

""WenJun Zhang[msft]"" wrote:

> Hi,
>
> This is possible but a difficulty here is metabase also stores encrypted
> user permission set(ACL) which is also machine specific. You can run
> Metabase Explorer utility to have a look.
>
> Internet Information Services (IIS) 6.0 Resource Kit Tools
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc
> 92ee-a71a-4c73-b628-ade629c89499
>
> The standard way to manage IIS metabase is still using its ADSI provider:
>
> IIS ADSI Provider
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html
> /5db1a0cc-bd28-467f-bd32-79d743a4fcc3.asp
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
Top

Re: versioning IIS 6 xml metabase by David

David
Thu Apr 06 02:03:40 CDT 2006

What you want to do is not really supported by metabase.xml. It isn't
something we intended to support, so we certainly have never tried it.

This is really something that we address with IIS7 configuration design
(distributed, xcopy deployable xml configuration). Basically, you will
forever need to hack with IIS6 configuration due to reasons such as:
- Metabase ACLs are machine-specific encrypted
- AnonymousUserPass, WAMUserPass, and UNCPassword are machine-specific
encrypted
- AnonymousUserName, WAMUserName, and UNCUserName are machine specific
- Filepaths in LogDirectory, Path, FilterPath, ScriptMap, HttpError are
machine specific

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"moke" <brutus@newsgroups.nospam> wrote in message
news:3974C872-45F1-4404-B6CF-222266575133@microsoft.com...
> This article
> <http://thesource.ofallevil.com/technet/prodtechnol/WindowsServer2003/Library/IIS/aa7f3ea9-0639-475f-b6c7-883cbde6f3a0.mspx?mfr=true>
>
> states the following:
>
> "Do not manually change encrypted properties in MetaBase.xml. There is no
> way to encrypt your data before inserting it by using Notepad or another
> text
> editor. Only WMI, ADSI, or ABOs can be used to change the data in
> encrypted
> properties."
>
> I found the answer to my question. Encrypted values can only be set by
> using an API. Transformation or search/replace will not work for
> encrypted
> values.
>
> If I wanted to pursue this further, I would look at setting encryptd
> values
> as a post-transformation process where values "to be encrypted" are stored
> as
> part of server-specific values. Of course, proper safeguards would be
> necessary to protect clear text values that will be encrypted at
> deployment
> time.
>
> ""WenJun Zhang[msft]"" wrote:
>
>> Hi,
>>
>> This is possible but a difficulty here is metabase also stores encrypted
>> user permission set(ACL) which is also machine specific. You can run
>> Metabase Explorer utility to have a look.
>>
>> Internet Information Services (IIS) 6.0 Resource Kit Tools
>> http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc
>> 92ee-a71a-4c73-b628-ade629c89499
>>
>> The standard way to manage IIS metabase is still using its ADSI provider:
>>
>> IIS ADSI Provider
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html
>> /5db1a0cc-bd28-467f-bd32-79d743a4fcc3.asp
>>
>> Best regards,
>>
>> WenJun Zhang
>> Microsoft Online Partner Support
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>>
>>


Top

Re: versioning IIS 6 xml metabase by wjzhang

wjzhang
Tue Apr 11 05:59:44 CDT 2006

Hi,

If you need further assistance on this issue, I'd like to sugguest you
contact our CSS for Advisory Services following the link below. Our
advisory service will help you analyze the specific sceanrios and
requirements of you and find out how to implement it. Thanks.

http://support.microsoft.com/default.aspx?pr=AdvisoryService

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.



Top